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METHOD OF SECURE COMMUNICATION 
OVER A DISTRIBUTED NETWORK 
WITHOUT USING SECURE SOCKET LAYER 

BACKGROUND 



More 



1 . Field of the Invention 
The invention relates to network cc 

specifically, the invention relates to se 

between network devices without the use of secure socket 10 

2. Background 

With the proliferation of the internet, the need and desir- 
ability of managing devices over a distributed network in a 
secure manner continues to increase. Typical web browsers 15 
support Java, Java Script, frames and forms. However, the 
contents of such frames, forms, and even the Java Script 
passed between a web browser and a web server is typically 
freely visible to potential third parties snooping the web 
traffic. To ensure proper management and to avoid inten- 20 
tional and unintentional acquisition of sensitive data by third 
parties, the exchange between a browser and a device under 
management, should be secure, e.g., both authenticated and 
encrypted. 

To permit secure communication between network nodes, 25 
Secure Socket Layer ("SSL") was developed by Netscape 
Communications Corporation as a protocol to permit 
encrypted communications. SSL is layered under Hypertext 
Transfer Protocol ("HTTP") and Above Transmission Con- 
trol Protocol/Internet Protocol ("TCP/IP"). SSL is used by 30 
HTTPS as access methods. Unfortunately, SSL requires 
third party authentication, embedded certificates and 
exchange of certificates when the host name is changed. For 
these and other reasons, it is not suitable for management of 
embedded network appliances or certain other environments 35 
in which secure communication is desirable. 

BRIEF DESCRIPTION OF THE DRAWINGS 

The invention is illustrated by way of example and not by 40 
way of limitation in the figures of the accompanying draw- 
ings in which like references indicate similar elements. It 
should be noted that references to "an" or "one" embodi- 
ment in this disclosure are not necessarily to the same 
embodiment, and such references mean at least one. 45 

FIG. 1 is a block diagram of the system of one embodi- 
ment of the invention. 

FIG. 2a is a schematic diagram of the frames sent from a 
Device Under Management in one embodiment of the J0 
invention. 

FIG. 2b is a schematic diagram representative of a layout 
for a concatenated string for one embodiment of the inven- 
tion after decryption. 

FIG. 3 is flow diagram of operation on the Device Under 55 
Management in one embodiment of the invention. 

FIG. 4 is a flow diagram of operation on external node in 
one embodiment of the invention. 

DETAILED DESCRIPTION 60 

FIG. 1 is a block diagram of the system of one embodi- 
ment of the invention. A Device Under Management 
("DUM") 100 is coupled to a distributed network such as 
internet 102. External node 104 is also coupled to internet 65 
102. External node 104 may be used to manage DUM 100 
over the internet 102. There may be an arbitrarily large 



number of DUM's coupled with the internet 102 up to 
DUM^, 108 with each device manageable by external node 
104. 

In one embodiment, external node 104 may be any 
internet access device that supports Java, Java Script, frames 
and forms. In one embodiment, external node 104 may be a 
personal computer (PC) executing a web browser such as 
Microsoft Explorer® or Netscape Navigator®. As previ- 
ously noted, such browsers support Java, Java Script, frames 
and forms. DUM 100 may be any network element including 
an embedded network appliance, such as the|lnterjak™j200 
available from Filanet Corporation of Sunnyvale, Calif. 
DUM 100 may provide web server functions, or for 
example, a fire wall for clients 106. 

When external node 104 first requests secure access to 
DUM 100, such as, for example, management access, device 
100 serves a frame containing an embedded security applet 
to external node 104. In one embodiment, the security applet 
is a Java applet. In another embodiment, the security applet 
may be realized using embedded Java Script code. The 
security applet generates a login window on the external 
node 104. A user can then enter their required login data to 
gain access to the DUM 100. As used herein, "login data" 
may include a user I.D., a password, or both. The security 
applet encrypts the login data and sends the encryption login 
data over the internet 102 to DUM 100. In one embodiment, 
the login data is encrypted with a random key generated in 
DUM 100 and sent to the external node as part of the Java 
Script code within the login page. DUM 100 decrypts the 
login data and determines if the login data is valid. If the 
login data is valid, it is used as a basis for a key for all 
subsequent encryption. As used herein to serve "as a basis 
for the key" is deemed to include, without limitation, direct 
usage as the key, usage of all or part of the login data as a 
seed for a pseudo random number generator to generate a 
pseudo random key, and indirect use, such as using the login 
data to encrypt a known data set and using the encrypted 
known data set as the key for subsequent encryption or using 
a hash of the login data as the key. When the login data is 
used directly, longer login data will yield stronger encryp- 

Subsequent pages are provided to the external node 104 as 
subframes of the frame containing the security applet. Such 
subframes include the form having blank fields, a concat- 
enated string of the field values with a digital signature all 
separated by appropriate delimiters and encrypted using the 
login data based key, and a script to decode and distribute the 
string. In one embodiment, the script is a Java Script. In one 
embodiment, 3DES (3 Data Encryption Standard) encoding 
is used. In one embodiment, the encoded string is transferred 
into the Java Script section of the web page together with a 
Java Script to decode the string and distribute it to the fields 
appropriately. If the user modifies the fields at the external 
node 104, the script provided as part of the page will 
concatenate at least the modified fields, digitally sign and 
encrypt the concatenated string. In one embodiment, only 
the modified fields are concatenated. In an alternative 
embodiment, all field values are concatenated if any field is 
modified. In one embodiment, the Java Script hooks into the 
security applet which performs the heavy lifting of the 
encrypting and signing function. 

FIG. 2a is a schematic diagram of the frames sent from a 
Device Under Management in one embodiment of the 
invention. Parent frame 200, which has resident security 
applet (not shown), remains active on the external node for 
the entire secure session. As explained below, by retaining 
login data and using that data as a key basis for encryption 
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8. The method of claim 6 wherein the security applet is a 
locally executed applet to perform decryption of the string 
subsequently sent using a key word from the login data. 

9. The method of claim 6 further comprising: 
comparing the login data to a valid login data to identify 5 

if the user is valid; and 
denying access if the user node is not valid. 

10. An internet access device having executable instruc- 
tions that when executed, perform actions comprising: 

accepting a frame having a resident security applet; 10 
receiving a subframe including a form with a plurality of 
blank fields; 

receiving an encrypted string of concatenated data; 
locally decrypting the encrypted string with the security 

applet; and is 
distributing a plurality of portions of the decrypted string 

to the plurality of blank fields in the form. 

11. The internet access device of claim 10 wherein 
distributing comprises: 

parsing the string delimited by embedded length and data 20 
type. 

12. The internet access device of claim 10 further com- 
prising: 

accepting user modification of a field in the form; 
concatenating data into a string from at least one of the 25 

plurality of fields, including at least a content of the 

field modified; 
encrypting the string using the security applet; and 
transmitting the string to a remote node. 

13. The internet access device of claim 10 further com- 30 
prising: 

deriving a key from login data supplied by a user. 

14. The internet access device of claim 12 wherein an 
encryption key is based on login data received from a user. 

15. The internet access device of claim 10 further com- 35 
prising: 

generating a login window within the frame; 
receiving login data from a user; and 
receiving the login data in the security applet. 

16. A computer readable storage media containing execut- 40 
able computer program instructions which when executed 
cause a digital processing system to perform a method 
comprising: 

concatenating data for a plurality of fields of a requested 

web page into a string; 45 
encrypting the string; 

serving to a user node, the web page and a form corre- 
sponding to the requested web page that includes a 
blank field in each of the plurality of fields and the 
encrypted string; and 
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enabling at least the encrypted string to be locally 
decrypted and distributed into each respective blank 
field at the user node. 

17. The computer readable storage media of claim 16 
which when executed cause a digital processing system to 
perform a method further comprising: 

appending a digital signature to the string prior to encryp- 

18. The computer readable storage media of claim 16 
which when executed cause a digital processing system to 
perform a method further comprising: 

inserting the string and a script into a defined portion of 
the web page to be served. 

19. The computer readable storage media of claim 18 
which when executed cause a digital processing system to 
perform a method further comprising: 

the defined portion is a locally executed script section of 
the web page. 

20. The computer readable storage media of claim 16 
which when executed cause a digital processing system to 
perform a method further comprising: 

serving a script within the web page, the script to decrypt 
the string and apportion the string to the blank fields. 

21. The computer readable storage media of claim 16 
which when executed cause a digital processing system to 
perform a method further comprising: 

serving a security applet to the user node; and 
receiving login data from the user node encrypted by the 
security applet. 

22. The computer readable storage media of claim 2l|the 
login data forms a basis for a key used to encrypt the string. 

23. The computer readable storage media of claim 21 
wherein the security applet is a locally executed applet to 
perform decryption of the string subsequently sent using a 
key word from the login data. 

24. The computer readable storage media of claim 21 
which when executed cause a digital processing system to 
perform a method further comprising: 

comparing the login data to a valid login data to identify 

if the user is valid; and 
denying access if the user node is not valid. 



